Ask an IT admin what his/her least favorite task is, and “reimaging an infected endpoint” is bound to be near the top of the list. And for good reason: It’s a slow, tedious timesuck.
The Drawn Out Malware Reimaging Process
- Ambling out to the endpoint
- Checking that there is a backup
- Checking that the backup is uninfected and uncorrupted
- Downloading the backup
- Locating and entering license keys
- Updating drivers
- Patches and patching
- Oddball endpoint customization
- “User re-education” (aka gently reminding the user to avoid suspect files, links, or websites)
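The “is the backup uninfected and uncorrupted” step is the one most often skipped because it is tedious by hand. As an added example (not part of the original post), the script below automates that check: it assumes a manifest of SHA-256 hashes was written when the backup was taken, and a set of known-bad file hashes is available from whatever threat feed or AV product the shop uses. Both the manifest and the sample files are constructed inline so the script runs offline.

```python
"""Verify a backup before restoring it.

Every file must match the hash recorded when the backup was taken
(uncorrupted), no file may match a known-bad hash (uninfected), and
any file the manifest does not know about is flagged for review.
The manifest format and the known-bad list are assumptions for this
example, not any vendor's format.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path, chunk_size=65536):
    """Stream a file through SHA-256 so large backups do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_backup(backup_dir, manifest, known_bad):
    """manifest: {relative_path: sha256 hex} captured at backup time.
    known_bad: set of sha256 hex digests of known malicious files.
    Returns a report dict with lists: ok, corrupted, missing, infected, unexpected.
    A known-bad hash wins over a manifest match: if the backup was taken after
    infection, the manifest faithfully records the malicious file's hash."""
    report = {"ok": [], "corrupted": [], "missing": [], "infected": [], "unexpected": []}
    base = Path(backup_dir)
    for rel, expected in sorted(manifest.items()):
        p = base / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        actual = sha256_of(p)
        if actual in known_bad:
            report["infected"].append(rel)
        elif actual != expected:
            report["corrupted"].append(rel)
        else:
            report["ok"].append(rel)
    # Files present on disk that the manifest never recorded (dropped later?)
    for p in base.rglob("*"):
        if p.is_file():
            rel = p.relative_to(base).as_posix()
            if rel not in manifest:
                report["unexpected"].append(rel)
    report["unexpected"].sort()
    return report


def restorable(report):
    """Only a backup with nothing missing, corrupted, infected or unknown is safe to restore."""
    return not (report["corrupted"] or report["missing"]
                or report["infected"] or report["unexpected"])


def build_demo():
    """Constructed sample backup: two intact files, one corrupted after the
    manifest was written, one listed but absent, one known-bad file that the
    manifest recorded (backup taken post-infection), and one unlisted file."""
    base = Path(tempfile.mkdtemp(prefix="backup_demo_"))

    def write(rel, data):
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)

    contents = {
        "docs/report.txt": b"quarterly numbers\n",
        "docs/notes.txt": b"meeting notes\n",
        "app/config.ini": b"[main]\nlevel=1\n",
        "tools/helper.exe": b"CONSTRUCTED-MALICIOUS-SAMPLE",  # constructed, not real malware
    }
    manifest = {rel: hashlib.sha256(data).hexdigest() for rel, data in contents.items()}
    manifest["app/missing.dat"] = hashlib.sha256(b"never written").hexdigest()
    for rel, data in contents.items():
        write(rel, data)
    write("docs/notes.txt", b"meeting notes (bit-rotted)\n")  # corrupt after manifest
    write("docs/extra.tmp", b"not in manifest\n")             # unexpected file
    known_bad = {hashlib.sha256(b"CONSTRUCTED-MALICIOUS-SAMPLE").hexdigest()}
    return verify_backup(base, manifest, known_bad)


if __name__ == "__main__":
    r = build_demo()
    for key, files in r.items():
        print(f"{key:10s} {files}")
    print("safe to restore:", restorable(r))
```

A manifest only protects you if it was stored somewhere the infected endpoint could not rewrite it (offline media or a write-once share), and a clean known-bad list catches only what it knows; the script is a gate, not a substitute for scanning the backup with the anti-malware product itself.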
Lackluster & Misguided Results
This all adds up to at least a couple of hours under the hood restoring the endpoint to its pre-infection state. And there’s no guarantee that restoration is complete—there’s always the question of what work or data is lost between the last clean backup and time of infection. The result is lost productivity, from the workstation downtime, to time spent by IT reimaging, to possibly lost work needing to be recreated by the user.
Yet, again and again, I heard IT admins at a recent tradeshow tell the same reimaging stories. The impetus for reimaging usually revolved around this: The endpoint was infected and the admin didn’t trust his/her endpoint security to remove all the malicious code.
Not an unfounded concern. According to recent testing by independent lab AV-Test.org, many antivirus products can detect and block known malware, but many of those same products can’t completely remove the malicious files. And even when only harmless fragments of the malicious code are left behind, those fragments can keep triggering false positives.
(And, if the antivirus didn’t even detect and quarantine the malicious code, and it executed in memory, well, your remediation problem can turn into an IT dumpster fire. See: CryptoLocker)
But this reflexive reimaging is often unnecessary.
Why Malware Remediation Is The Smart & Easy Solution:
The goal should be finding an endpoint security solution or layer that effectively rips malware out by the roots. It’s remediation (removal) short of reimaging, the difference between a neutron bomb and your garden-variety fission bomb. Only this time, the cockroaches don’t make it.
Remediation solves the severe shortcomings of reimaging. Properly executed, remediation removes all traces of malicious code while leaving legitimate files untouched. And it should take only a few moments.
The advantages of remediation over reimaging:
- Is vastly faster to implement
- Restores all work
- Can often be done remotely over the network
- Reduces workstation/user downtime
Of course, the new breed of anti-exploit products eliminates the entire remediation/reimaging issue by preventing malware from ever being dropped onto the workstation in the first place. You don’t have to remove what isn’t there, right? An anti-exploit product working alongside an anti-malware product provides the layered defense that probably offers the best endpoint protection. When choosing your anti-malware product, look for security software that remediates, rather than reimages!